Rick Strahl's Web Log

Using programmatic Impersonation from an ASP.NET Page


Several times I've heard the following question asked:

I have an ASP.NET application and I need access to network resources that my account running ASP.NET does not have. How can I change the permissions at runtime without setting up Impersonation or using a high privilege account for my ASP.NET user account?

In short, how can you raise permissions of an ASP.NET request at runtime to perform some task that requires rights that the standard account ASP.NET runs under cannot handle?

To accomplish this you can use a few Win32 API calls (LogonUser, ImpersonateLoggedOnUser and RevertToSelf) to change the account the current ASP.NET thread runs under. Note that this account is what Environment.UserName reports, as opposed to Page.User: Environment.UserName returns the Windows account the current thread is executing as, while Page.User returns the identity that ASP.NET established through authentication, and in most cases that identity is independent of the Windows logon running the current thread. For anonymous requests Page.User is blank, while Environment.UserName is NETWORK SERVICE (or ASPNET on IIS 5).

The only time Page.User matches Environment.UserName is when Impersonation is enabled, in which case ASP.NET automatically switches the underlying request thread to the identity of the user who logged on. For anonymous users this is the IUSR_ account; for authenticated users it is the account they logged on with.

With the API calls mentioned above you can change the thread's security context yourself. The idea is: log on as a user, impersonate that logon on the current thread, do your work, then revert. Let's look at how to do this first before going over some caveats. Provided the account ASP.NET runs under is allowed to make PInvoke calls (NETWORK SERVICE generally is), the following code accomplishes this:

using System;
using System.Runtime.InteropServices;
using System.Web;
using System.Web.UI;

namespace Westwind.WebStore.Demos
{
    /// <summary>
    /// Switches the request thread's Windows identity with LogonUser and
    /// ImpersonateLoggedOnUser, then restores it with RevertToSelf.
    /// </summary>
    public class Test : System.Web.UI.Page
    {
        // Logon types and provider for LogonUser (Win32 constants)
        const int LOGON32_LOGON_INTERACTIVE = 2;
        const int LOGON32_LOGON_NETWORK = 3;
        const int LOGON32_LOGON_BATCH = 4;
        const int LOGON32_LOGON_SERVICE = 5;
        const int LOGON32_LOGON_UNLOCK = 7;
        const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
        const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
        const int LOGON32_PROVIDER_DEFAULT = 0;

        [DllImport("advapi32.dll", SetLastError=true)]
        public static extern int LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                           int dwLogonType, int dwLogonProvider, out IntPtr phToken);

        [DllImport("advapi32.dll", SetLastError=true)]
        public static extern int ImpersonateLoggedOnUser(IntPtr hToken);

        [DllImport("advapi32.dll", SetLastError=true)]
        static extern int RevertToSelf();

        [DllImport("kernel32.dll", SetLastError=true)]
        static extern int CloseHandle(IntPtr hObject);

        private void Page_Load(object sender, System.EventArgs e)
        {
            // Account the request thread runs under before impersonation
            Response.Write(Environment.UserName + "<hr>");

            IntPtr lnToken;
            int TResult = LogonUser("ricks", ".", "supersecret",
                                    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                                    out lnToken);
            if (TResult > 0)
            {
                try
                {
                    // Switch the thread to the logged-on user's security context
                    ImpersonateLoggedOnUser(lnToken);
                    Response.Write(Environment.UserName + " - " + this.User.Identity.Name + "<hr>");
                    // ... do the work that needs the extra rights here ...
                }
                finally
                {
                    // Always revert and release the token handle, even if the work throws
                    RevertToSelf();
                    CloseHandle(lnToken);
                }
                Response.Write("<hr>" + Environment.UserName);
            }
            else
            {
                Response.Write("Not logged on: " + Environment.UserName);
            }
        }
    }
}

To use this code, change the username and password in the call to LogonUser to a valid local or domain account (see the MSDN docs for the exact syntax to use for domain accounts and machine names).

When you run this code you should see:

NETWORK SERVICE
ricks
NETWORK SERVICE

which corresponds to the original account the page runs under, the impersonation I applied, and the original account again after I reverted back.

Note that you should make sure to close the token handle returned by LogonUser after you are done with it, preferably in a finally block, so you don't leak handles.

Actually you don't have to revert back: ASP.NET assigns the security context to the request thread before your code runs on each request, so RevertToSelf is not really required.
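As an added example (not code from the original post), here is the same LogonUser / impersonate / revert sequence wrapped in a disposable helper, so that the revert and the CloseHandle call always run, even when the privileged work throws. It uses WindowsIdentity.Impersonate() and WindowsImpersonationContext.Undo(), which wrap the ImpersonateLoggedOnUser and RevertToSelf calls shown above, and it reads the credentials from appSettings instead of embedding them in the page source. The ImpersonationDemo page, the appSettings key names and the use of ConfigurationManager (.NET 2.0 or later) are assumptions made for this example.

```csharp
// Added example (not code from the original post): the LogonUser / impersonate /
// revert sequence from the article wrapped in a disposable helper, so that the
// revert and CloseHandle always run even if the privileged work throws.
using System;
using System.ComponentModel;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;

public sealed class ImpersonationScope : IDisposable
{
    // Logon type / provider constants as used in the article
    public const int LOGON32_LOGON_NETWORK = 3;
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    IntPtr token = IntPtr.Zero;
    WindowsImpersonationContext context;

    public ImpersonationScope(string user, string domain, string password, int logonType)
    {
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Report the real Win32 reason (bad password, missing privilege, ...)
            // instead of silently continuing as the process account.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity.Impersonate() does what ImpersonateLoggedOnUser does;
            // the returned context's Undo() is the RevertToSelf counterpart.
            context = new WindowsIdentity(token).Impersonate();
        }
        catch
        {
            CloseHandle(token);
            token = IntPtr.Zero;
            throw;
        }
    }

    public void Dispose()
    {
        // Revert first, then release the logon token so no handle leaks
        if (context != null) { context.Undo(); context = null; }
        if (token != IntPtr.Zero) { CloseHandle(token); token = IntPtr.Zero; }
    }
}

// Hypothetical page showing the thread identity before, during and after the scope.
public class ImpersonationDemo : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // The thread's Windows account vs. the identity ASP.NET authenticated
        Response.Write(WindowsIdentity.GetCurrent().Name + " / " + User.Identity.Name + "<hr>");

        // Credentials come from configuration, not from the page source.
        // Key names are assumptions for this example; keep this section encrypted
        // with protected configuration rather than leaving the password in clear text.
        string user = ConfigurationManager.AppSettings["ImpersonationUser"];
        string domain = ConfigurationManager.AppSettings["ImpersonationDomain"];
        string password = ConfigurationManager.AppSettings["ImpersonationPassword"];

        using (new ImpersonationScope(user, domain, password, ImpersonationScope.LOGON32_LOGON_NETWORK))
        {
            // Everything inside this block runs as the impersonated account
            Response.Write(WindowsIdentity.GetCurrent().Name + "<hr>");
        }

        // Reverted: back to the process account (NETWORK SERVICE or ASPNET)
        Response.Write(WindowsIdentity.GetCurrent().Name);
    }
}
```

Two points on the design: throwing on a failed LogonUser matters because the alternative, continuing as the process account, quietly performs the "privileged" work as NETWORK SERVICE and turns a credential problem into a confusing access-denied error later. And if the impersonated work has to reach another machine, LOGON32_LOGON_NETWORK is usually the wrong logon type: the Win32 documentation notes that LogonUser does not cache credentials for a network logon, so the impersonated thread has nothing to present to a remote share, which is the access-denied symptom several commenters below describe.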

Caveats

Now, is it a good idea to do this in your code? Not really, because it's obviously a potential security risk. There are two problems here.

First, you need to run under an account that has rights to make PInvoke calls, which is by no means guaranteed. Many shared-hosting ISPs set up very low-privilege accounts for their sites, so you may not be able to perform these calls at all. OTOH, it's unlikely that in an ISP scenario you would actually need access to additional resources that require impersonation.

Second, and maybe more importantly, LogonUser requires a password, and that password has to come from somewhere. This means somewhere in your system you have to store and retrieve this password, and if it is compromised it can potentially be used to penetrate further. A fairly far-fetched attack scenario that would require somebody pretty damn familiar with your architecture, but still a threat.

You can also impersonate system accounts like SYSTEM and NETWORK SERVICE, which don't require passwords (pass "" for the password), but most likely these accounts are not what you need to get your job done, for example accessing another machine on the network.

Alternatives

Ultimately the solution to this problem is to set up your ASP.NET application with the right account, one that has exactly the rights it needs. While I think security is important, it's always been my feeling that if someone can penetrate your network and compromise ASP.NET pages, they're in too far already to not be able to do the rest (like changing web.config and stepping down security), so I am usually not opposed to running ASP.NET in slightly elevated security modes to match my needs.

Another option for those one-off requests is to use Impersonation and Windows Security in a separate directory. I do this in several of my applications where a few admin requests require elevated rights. These pages sit off in a separate directory with anonymous access off and Impersonation enabled in a separate web.config (or a Location section in the main web.config).

An example of this is my Configuration class manager which has the capability to write Config changes back into Web.Config. I don't want to give NETWORK SERVICE rights to write any files in my main application directory, so I have my Configuration page off in an Admin directory. Admin requires Windows Security and then uses Impersonation, which means it runs under my Admin account on the server once I've logged in with my username and password.

<location path="admin">
  <system.web>
    <identity impersonate="true" />
    <!-- WS: Allow only Authenticated users -->
    <authorization>
      <!-- allow users="*"/ -->
      <deny users="?" />
    </authorization>
  </system.web>
</location>

I can set this up in a couple of ways. Here I do it entirely through ASP.NET's impersonation and authorization settings, which deny non-authenticated users access to these Admin pages. I could also set this up with directory security on the Admin directory and simply remove IUSR_ to achieve the same effect, although I would still need the impersonate setting in web.config.

This works well as long as the requests in question can be easily isolated and the users accessing them can indeed authenticate, which is not always the case.

Use with care... and don't impersonate GrandMa - it ain't nice!

Feedback for this Post

 
# Using programmatic Impersonation from an ASP.NET Page
by CodeBetter.Com Link Blog February 25, 2005 @ 4:20am
# re: Using programmatic Impersonation from an ASP.NET Page
by banti February 28, 2005 @ 1:22am
This article is very useful to me, I want to know how I can change impersonation for the whole application programmatically.

My requirement is that once a user is logged in, he requests some pages and then he want to switch as another user, and will request more pages.

I am giving a separate form to get user details (username, password, domain) to log in as a different user, and I am changing impersonation as per your code. But this impersonation is limited to that page only; when I am checking the same user on a different page, it's again giving me the original impersonation and not the changed one.

thanks,
Banti
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl February 28, 2005 @ 11:46am
You can't persist any impersonation across pages because this is a Web application and each request must re-establish its state. Impersonation is handled by IIS and it will assign its default impersonation on every hit. So if you need custom impersonation you need to manage that in your own code using the approach above ON EVERY REQUEST!
# re: Using programmatic Impersonation from an ASP.NET Page
by Greg March 28, 2005 @ 4:55am
This is an excellent article. I have a question about deployment though. I have setup this and it works fine in my development environment (laptop). I deployed it to our win2k server and it is acting like the username/password/domain is incorrect. I know the information is correct. Are there any additional setups that need to be done say to the local policy or anything like that? Thanks.

Greg
# re: Using programmatic Impersonation from an ASP.NET Page
by Sandu April 14, 2005 @ 4:05am
Is it possible to use this code to maintain this impersonation during the whole session?
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl April 14, 2005 @ 5:11am
No. ASP.NET assigns impersonation at the beginning of every request on the inbound thread. Since you can do this on every request this shouldn't be a problem though.
# re: Using programmatic Impersonation from an ASP.NET Page
by Kevin April 20, 2005 @ 12:38pm
I need to give the ASPNET account access rights to network resources. Can someone direct me to using Impersonation...? Is this the best way to do this or can I change ASPNET users rights directly? Also, does ASPNET user automatically have rights to running custom made DLLs?
# re: Using programmatic Impersonation from an ASP.NET Page
by Clear-RCIC April 26, 2005 @ 6:33am
Good article. I wrote some similar code about a year ago. I had to call Microsoft to get the details of what this article explains. Everything you've written appears to be accurate. However, to solve the problem of persisting impersonation between pages I checked group membership after a form logon. If they were a member of any Windows groups that I was filtering, I set a session variable Session("IsInThisGroup")=True. This allowed me to present dynamic links and content based on who had logged on.
# re: Using programmatic Impersonation from an ASP.NET Page
by suman April 27, 2005 @ 2:28am

I badly need help. Please find the code below.
Here I am passing the username and password to the NetworkCredential object in order to authenticate to the proxy server. Instead I want to authenticate to the proxy server using the currently logged in Windows user. Do you have any clue about how to do this? Please help.

Imports System.IO
Imports System.Net
Imports System.Text

' Request goes through the ISA proxy with explicitly supplied credentials
Dim myHttpWebRequest As HttpWebRequest = CType(WebRequest.Create("http://www.testsite.com"), HttpWebRequest)
Dim myProxy As New WebProxy("http://isa:80", True)

myProxy.Credentials = New NetworkCredential("myusername", "mypassword", "mydomain")
myHttpWebRequest.Proxy = myProxy
Dim myHttpWebResponse As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)
Dim receiveStream As Stream = myHttpWebResponse.GetResponseStream()
Dim encode As Encoding = System.Text.Encoding.GetEncoding("utf-8")
Dim readStream As New StreamReader(receiveStream, encode)
Dim read(256) As [Char]
Dim count As Integer = readStream.Read(read, 0, 256)
# Understanding ASP.NET Impersonation Security
by Rick Strahl's WebLog May 18, 2005 @ 1:10am
Understanding how ASP.NET's internal security works is important if your application needs to access resources on the local machine. Specifically it's important to know exactly which account your ASP.NET application is running under. This entry reviews different ways of how this account is affected by different versions of Windows, and ASP.NET configuration.
# re: Using programmatic Impersonation from an ASP.NET Page
by stardawg May 31, 2005 @ 12:47pm
This works fine for accessing local files. However, when I try to access a file share on a win2k box from an asp .net page on a win xp box it breaks?

Please advise.
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl May 31, 2005 @ 12:53pm
It should work as long as the account you are using has the proper network rights.
# re: Using programmatic Impersonation from an ASP.NET Page
by stardawg May 31, 2005 @ 1:02pm
I am trying to copy a local file to a network share. The impersonated user has access to the share, but I get this error

An unhandled exception of type 'System.Web.Services.Protocols.SoapException' occurred in system.web.services.dll

Additional information: Server was unable to process request. --> Access to the path "\\serverName\BIER\BIER_PrintService\Queues\HTML\TEST.html" is denied.


here's my code:
WindowsImpersonationContext impContext = null;
try
{
    impContext = NetworkSecurity.ImpersonateUser(
        "DOMAIN",
        "user",
        "pwd",
        LogonType.LOGON32_LOGON_NETWORK,
        LogonProvider.LOGON32_PROVIDER_DEFAULT);

    if (null != impContext)
    {
        try
        {
            File.Copy(FILE_NAME, REMOTE_FILE_NAME);
        }
        catch (Exception ex)
        {
            //Response.Write(ex.Message);
            throw;   // rethrow as-is so the original stack trace is kept
        }
        finally
        {
            // Finally we have to revert the impersonation.
            impContext.Undo();
            File.Delete(FILE_NAME);
        }
    }
    // (rest of the outer try block was not posted)
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl May 31, 2005 @ 1:15pm
Local network shares won't work unless you defined the share in your app. The share exists in the interactive session (the desktop), but not in the session that is running ASP.NET (NETWORK SERVICE). You need to use UNCs or explicitly create the share from your app (in Application_Start or a static constructor maybe).
# re: Using programmatic Impersonation from an ASP.NET Page
by stardawg May 31, 2005 @ 1:20pm
Sorry for the confusion, I am using UNCs:

string REMOTE_FILE_NAME = @"\\remoteServer\BIER\BIER_PrintService\Queues\HTML\TEST.html";
string FILE_NAME = @"\\localServer\images\test.html";

No problem accessing UNC on the local server (XP development box), but I get the access denied error when trying to access the remote server(win 2k server).

BTW
Thanks for the help and the quick responses :)
# re: Using programmatic Impersonation from an ASP.NET Page
by Geof June 01, 2005 @ 3:11pm
Accessing network resources using impersonation is much more difficult (well, it's not hard to do, but it's tricky to troubleshoot). This would include SQL Server databases on different machines, as well as file shares on other machines.

To do this requires a technique called "delegation", which is like impersonation except that the ASP.NET process now has to convince a -second- machine to act using the user's account.

You can find information on this with Google "trust for delegation" or similar. Not all accounts are allowed to delegate, and some accounts can't be delegated.

The reason for this is that an evil web designer could create a web page using impersonation that checked to see if the user happened to be a superadmin, then use that user's account to grant the web designer superadmin privileges, and the admin would never be the wiser.
# re: Using programmatic Impersonation from an ASP.NET Page
by stardawg June 03, 2005 @ 10:14am
Thanks for the info!
# re: Using programmatic Impersonation from an ASP.NET Page
by Sathya June 23, 2005 @ 9:01pm
This is indeed great article.
Rick, is there any way I can automatically take the user name of whoever logged in to the system? This way I do not have to supply a password. And also I would not need to supply the password whenever I change my AD password.
# re: Using programmatic Impersonation from an ASP.NET Page
by tman July 12, 2005 @ 1:20pm
Ok I'm not sure why this is not working in the way I need it to. I used this pretty much exactly as is then launched a command prompt and did a whoami as follows:

ImpersonateLoggedOnUser(lnToken);
ProcessStartInfo psInfo = new ProcessStartInfo("cmd.exe");
psInfo.UseShellExecute = false;
psInfo.RedirectStandardOutput = true;
psInfo.RedirectStandardInput = true;
psInfo.RedirectStandardError = true;
Process pBatch = Process.Start(psInfo);
StreamReader srOutput = pBatch.StandardOutput;
StreamWriter sWriter = pBatch.StandardInput;
sWriter.WriteLine(@"date /t");
sWriter.WriteLine(@"whoami");

Yet the output of the whoami still shows Network Service as the user. I need this command prompt to be running as the account i'm attempting to impersonate. Any ideas?
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl July 12, 2005 @ 1:22pm
The logon is essentially a new session - you won't see this outside of the running process.
# re: Using programmatic Impersonation from an ASP.NET Page
by tman July 12, 2005 @ 1:28pm
In that case how would one launch a command prompt as user XYZ from an asp.net app, where a whoami command would correspond to the specified user. I've tried several methods for this with no luck, any ideas?
# re: Using programmatic Impersonation from an ASP.NET Page
by tman July 13, 2005 @ 10:20am
I was under the assumption that if i was impersonating an account and launched a process that the process would be running under that impersonation account. Yet this is not the case it still reverts back to Network Service, I really need a solution to this. Anyone worked through this type of thing before?
# re: Using programmatic Impersonation from an ASP.NET Page
by aone999 July 15, 2005 @ 9:09pm
I am facing a related problem.

In an ASP.Net page, I am instantiating a COM component. The COM component reads info from the HKCU reg key and populates its properties.

Now, since the ASPNET account does not have any keys under HKCU, this COM component fails. So, I decided to use impersonation.

I impersonated the ASPNET account to a known Windows account (in web.config). However, the COM component still fails.

Interestingly, if I make the impersonation in machine.config, the COM component works perfectly, using the profile of the impersonated account. But I don't want to do this, as it is a global change and affects all the web applications on this machine.

Any suggestions?
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl July 15, 2005 @ 9:26pm
You can't override the Windows account used for the process in web.config; it can only be set in machine.config. In fact, you should get a failure if you do. You CAN do this on Windows 2003 Server by configuring the Application Pool to run under a specific account. Win2k3 ignores this setting and uses the Application Pool's identity.



# re: Using programmatic Impersonation from an ASP.NET Page
by tman July 19, 2005 @ 1:20pm
Creating a new application pool and using the configurable identity setting to specify the particular user worked like a champ. The only additional thing that was needed was adding that user to the IIS_WPG group. Thanks.
# re: Using programmatic Impersonation from an ASP.NET Page
by Greg July 21, 2005 @ 2:07pm
OK - my situation is slightly different. I need to copy files to the local machine, then to a machine on the local network, then to several servers on a different domain completely (a file sprayer of sorts). I can copy to the local machine and local network but not to the outside domain. I can use Windows Explorer to go directly to these outside domain boxes, I can ping them and use DOS to xcopy files directly to them. With C#/ASP.NET I get permissions errors. Is there a way to impersonate a user on the outside domain since I have the user, pass, and domain credentials?
# re: Using programmatic Impersonation from an ASP.NET Page
by Dean Dalby August 02, 2005 @ 7:02pm
To be able to log in to the SQL server we explicitly call the LogonUser function from advapi32.dll, then open a SQL connection using the Integrated Security=true property. When you look at SQL Profiler it seems that there are two logon calls made when the connection is opened. One for the ASP.NET machine account and one for the user that we impersonated using the LogonUser function. Does anyone know why this happens? And how to avoid it?

Any additional information that may help explain the two logon calls would be much appreciated.

Thanks in advance
Dean Dalby
# re: Using programmatic Impersonation from an ASP.NET Page
by bala August 27, 2005 @ 6:14pm
Hi

I have an aspx page with a download button on my server. When the user clicks that download button, I am trying to download the file (PDF) from my network machine which is under the same domain. I am getting the attached error message. I have given all the permissions to the folder where all the PDF files are stored. I tried to ImpersonateUser that user account, and that part is working fine. After the impersonation, it's giving the login failure problem.

Any idea to resolve this.

Here is the code which i am using for downloading the file.


Code:
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim path1 As String = "\\machine02\temp\test.pdf"
    Dim name As String = Path.GetFileName(path1)

    Dim ext As String = Path.GetExtension(path1)
    Dim type As String = ""
    If Not (ext Is Nothing) Then
        Select Case ext.ToLower
            Case ".htm", ".html"
                type = "text/HTML"
            Case ".txt"
                type = "text/plain"
            Case ".doc", ".rtf"
                type = "Application/msword"
            Case ".pdf"
                type = "Application/pdf"
        End Select
    End If
    'If forceDownload Then
    Response.AppendHeader("content-disposition", "attachment; filename = " + name)
    'End If
    If Not (type = "") Then
        Response.ContentType = type
    End If
    Response.WriteFile(path1)
    Response.End()
End Sub

Thanks
Bala
# re: Using programmatic Impersonation from an ASP.NET Page
by Wei August 31, 2005 @ 12:36pm
I tried using this impersonating method in a win app as well as an asp.net app with no luck in accessing the network share folder. Though the impersonation worked perfectly, when accessing the folder I still get an "incorrect password" error message. But if I map to the folder using the same credentials I can access the files using the UNC path. Any idea why?
# re: Using programmatic Impersonation from an ASP.NET Page
by Mahendra October 13, 2005 @ 9:35pm
I try to read a log file from a remote computer. I get an Access Denied error, but the logfile folder has all the privileges, and I am also logged on as an administrator.

here is my code

int TResult = LogonUser("administrator", "domain", "pwd", LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out lnToken);
if (TResult > 0)
{
    ImpersonateLoggedOnUser(lnToken);
    // DirectoryEntry takes (path, username, password, authenticationType);
    // the domain goes into the username, not into a separate argument
    DirectoryEntry root = new DirectoryEntry("IIS://server/W3SVC", @"domain\administrator", "pwd", AuthenticationTypes.Secure);
    foreach (DirectoryEntry ent in root.Children)
    {
        if (ent.SchemaClassName == "IIsWebServer")
        {
            Response.Write(ent.Properties["ServerComment"].Value.ToString());
        }
    }
    RevertToSelf();
    Response.Write("<hr>" + Environment.UserName + " - " + this.User.Identity.Name + "<hr>");
    CloseHandle(lnToken);
}
else
{
    Response.Write("Not logged on: " + Environment.UserName);
}
return;
# Using programmatic Impersonation for accessing LAN web application
by Fi October 18, 2005 @ 12:08am
Hi, can anyone help me in this regard. I programmatically impersonated a user on my network, but when I tried to access the web application on my LAN a pop-up window comes up asking for username, password and domain.
My brief code is below,

WindowsImpersonationContext wic = CreateIdentity(User_Alias, Domain, Password).Impersonate();

webBrowser1.Navigate("http://machineName/app");

wic.Undo();


I don't want this window to pop up; I want to access the web application as the impersonated user. Please help.


# re: Using programmatic Impersonation from an ASP.NET Page
by Achutha Sundar October 21, 2005 @ 2:24am
I am trying to run exe from ASP.Net through process.start. It works on my laptop with XP but not on windows server 2003 SP1 with Sharepoint. As you have suggested I have identity impersonate="true" in my web.config file. I also modified machine.config file ProcessModel username="SYSTEM" on the windows 2003 server. Can anyone help?

# re: Using programmatic Impersonation from an ASP.NET Page
by Shane Hale MCSE October 27, 2005 @ 4:49pm
Hello,

You guys are all working at a much higher level than me, but I was wondering if one of you could help me out with a sample piece of code to get me on my way.

I don't wish to elevate privilege or impersonate anything. I work for a charter school as an administrator and we are filtering student web access using IAS. What we want to do is give the kids a little something to think about when they attempt to access filtered content and are redirected to the access denied page.

We want to put the logged on username and PC name & IP in the message returned to them in the page, letting them know the attempt and their username was logged. I thought I could do this easily just doing:
<%
Response.Write Request.ServerVariables("REMOTE_HOST")
Response.Write Request.ServerVariables("REMOTE_USER")
Response.Write Request.ServerVariables("REMOTE_ADDR")
Response.Write Request.ServerVariables("LOGON_USER")
%>

But alas even though I am trying to get the info from machines on a LAN that I administer, the only info returned was the IP.

I realize this is a security measure with modern servers to protect our info on the internet, but on the LAN we (administrators) should have authority.

At any rate, the subject of this thread seems like it could be used (or something similar) to get the info I want to return. However I only have a basic understanding of ASP and no real ASP.NET experience. Any help or a referral in the right direction would be greatly appreciated.

Shane Hale MCSE
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl October 27, 2005 @ 11:33pm
HTTP provides only access to a few things, and those things won't stop a hacker since the browser sends these things and they can be overridden completely by a custom HTTP client.

You can do DNS lookups of IP Addresses to get machine or server names if they are registered in DNS.
# re: Using programmatic Impersonation from an ASP.NET Page
by Shane Hale MCSE October 28, 2005 @ 5:16am
Thanks for the tip. The machines are in fact registered in DNS and the users are logged into the AD. Do you have any suggestions where I could go to find an example of how to do what you are suggesting? Thanks for your response.
# re: Using programmatic Impersonation from an ASP.NET Page
by Arlean November 09, 2005 @ 5:50pm
Hi,

Even though I put <identity impersonate="true" userName="User" password="password"/> in web.config, when calling a batch file from an asp.net page, the batch file is still run under the ASPNET account. Actually before calling the batch, I checked Environment.UserName on the .NET page, and it is "user", not "ASPNET".

The test batch file:

echo %time% >test.txt

echo %username% >> test.txt

In test.txt the username is always ASPNET.

Anybody knows if there is a way to run batch file under a user account other than ASPNET?

I'm thinking to call "CMD.EXE" then run "runas" command to change user. However, runas will prompt to input user password. Can we start an interactive mode from asp.net?

Thanks in advance for any help,

Arlean

# re: Using programmatic Impersonation from an ASP.NET Page
by Jon C November 11, 2005 @ 8:21am
Great work on this article. It answered my "impersonation across the session" question.

But I am not sure how I can use impersonation to access NTFS protected files like .gif and .jpg, resources that cannot be impersonated. But need impersonation to access them.

Can you point me in another direction?!

Thank you.
# re: Using programmatic Impersonation from an ASP.NET Page
by Gosha Kuciy November 13, 2005 @ 6:23am
Hi! I found your site here [ http://google.com ]
# re: Using programmatic Impersonation from an ASP.NET Page
by stuki November 15, 2005 @ 3:29am
hi,
I'm using impersonation because I've had a problem with creating files on localhost. On the other side I have a piece of code which creates a win process, starts it and stops it. When I use impersonation, that code doesn't work (I can not start or stop the process). When I shut impersonation off, I have a problem with accessing the files (Access is denied).
Anyone can help?
Thanks in advance
# re: Using programmatic Impersonation from an ASP.NET Page
by Benihana December 13, 2005 @ 1:44pm
I'm getting back:
Page User ID is Authenticated: True
Page User ID Authentication Type: NTLM
Page User Id Name: Domain\Username
Environment Username: SYSTEM
Environment User Domain Name: NT AUTHORITY

Strange, I don't see NETWORK SERVICE anywhere. I'm getting this info by: Page.User.Identity.Name.ToString & "<BR>Environment Username: " & Environment.UserName.ToString & "<br>Environment User Domain Name: " & Environment.UserDomainName.ToString etc.

It scans the local server fine, but any other server says "Access Denied". I tried everything. Hope you can help Rick!
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl December 13, 2005 @ 1:53pm
What version of IIS are you running? If you're running IIS 5 then your underlying system account is SYSTEM and it's not configurable.

In IIS 6 the OS account is configurable - and if you're running IIS 6 you might have your Application Pool set to the Local System identity.
# re: Using programmatic Impersonation from an ASP.NET Page
by kenneth Roach December 27, 2005 @ 5:47am
When I run the following code I only get the machine drives, not the network mapped drives.
Could anyone help??



IntPtr lnToken;
int TResult = LogonUser("username", "domain", "Password",
                        LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                        out lnToken);
if (TResult > 0)
{
    ImpersonateLoggedOnUser(lnToken);
    Response.Write(Environment.UserName + " - " + this.User.Identity.Name + "<hr>");

    string[] drives = Environment.GetLogicalDrives();
    // Response.Write("Available drives:");
    foreach (string drive in drives)
        Response.Write(drive);

    RevertToSelf();
    Response.Write("<hr>" + Environment.UserName);

    CloseHandle(lnToken);
}
else
{
    Response.Write("Not logged on: " + Environment.UserName);
}
# re: Using programmatic Impersonation from an ASP.NET Page
by ClickOk January 03, 2006 @ 7:28am
Hi

I'm doing a file manager in ASP.Net. I put permissions to read/write some folder. I can create files, but I can't delete! Can I resolve this with this web.config approach?
# re: Using programmatic Impersonation from an ASP.NET Page
by TomekR January 10, 2006 @ 3:09am
Hi !

Does anyone have an idea why the above code doesn't want to work on W2K and IIS5, but deployed on W2K3 & IIS6 works exactly as described?
I mean, on IIS5 LogonUser returns 0.

In both cases the same user/password is configured and defined to be used. Also exactly the same web.config is used.
# re: Using programmatic Impersonation from an ASP.NET Page
by bit January 12, 2006 @ 4:41am
good stuff
# re: Using programmatic Impersonation from an ASP.NET Page
by TomekR January 12, 2006 @ 6:49pm
The reason why the code above won't work on W2K (IIS5 has nothing to do with it) is the fact that on W2K the system process calling the LogonUser function has to have a special right, i.e. the SE_TCB_NAME privilege.
To give the ASPNET or IUSR_xxx user this right, one needs to:
1. Open "Administrative Tools | Local Security Policy" and then double-click on "Local Policies".
2. Open "User Rights Assignment" and then double-click on "Act as Part of the Operating System".
3. Add the wanted account to the list.
# re: Using programmatic Impersonation from an ASP.NET Page
by Baskaran Ammamuthan January 20, 2006 @ 3:03am
I was trying to create a file in a network shared folder using a FileStream object. I followed all your steps. It is changing the environment user name in the order ASP.NET, myusername, ASP.NET. I am getting an access denied error. My user account has the privilege to create/modify.
# re: Using programmatic Impersonation from an ASP.NET Page
by bestcomy January 25, 2006 @ 6:37pm
Maybe this is the right article for all of you:
http://www.codeproject.com/csharp/ZetaImpersonator.asp

NOTE: you should add the domain user as a local administrator if you want to copy a local file to a network shared folder.
# Read and display the current logged on username
by Abs March 01, 2006 @ 12:25pm
Hi,

I hope someone can help. I don't need to use pass-through to authenticate my application. I just want to be able to save the username into a variable for later use, for example when a user submits a form, I want to record the username who made the change. How can I do this?
# re: Using programmatic Impersonation from an ASP.NET Page
by Aaron Ramirez March 14, 2006 @ 8:17am
All good and fine. One thing that I saw reading the posts is that the pinvokes won't work on win2000 due to security restrictions. Also, what some of you may have missed in attempting to get the impersonation to take place in a web app is that in the web.config you must make sure that <identity impersonate="false"/> or you will get an access denied error message. Also, impersonating a user does not change the account under which an ASP.NET page/request runs; Page.User is read-only and is locked into the user that is currently logged into Windows if you are using Windows auth. There is a good P&P article on MSDN to explain all the different combos of auth and impersonation (and security in general): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
# re: Using programmatic Impersonation from an ASP.NET Page
by ms hater April 25, 2006 @ 4:27am
Fuckin' shit Microshit Impersonate Fuck bullshit is wasting my fucking time.
# re: Using programmatic Impersonation from an ASP.NET Page
by mahesh April 26, 2006 @ 2:36am
I implemented the above impersonation; by using the debugger I was able to trace the output. Actually the impersonation is done, but I was not able to access the files on the network machine.
The permissions are assigned to the user through which impersonation is done.

Although the current thread is impersonated it is throwing an access denied exception; what may be the problem? On the network machine I assigned full rights to the user.
# re: Using programmatic Impersonation from an ASP.NET Page
by Fried Egg May 05, 2006 @ 4:12am
Does anyone have a VB version of this code?
# re: Using programmatic Impersonation from an ASP.NET Page
by paresh May 25, 2006 @ 4:45am
How can I copy to a machine in a different domain?

If it is in the same machine or same domain it works fine but fails when the domain is different.

Any thoughts?

TIA,
Paresh
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl May 25, 2006 @ 10:46am
You can't unless the account running IIS has permissions on that remote machine. You need to create an account on that domain that matches or otherwise adjust the security so that the ASP.NET machine/account has access.

If you can't you're SOL.
# re: Using programmatic Impersonation from an ASP.NET Page
by Simply Si June 12, 2006 @ 10:07am
This is a useful article, although I was wondering if you could help me further. I have a web application for which I need to determine the Windows logon for the current user. The web application web.config has the following setting:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
The web server is running IIS and has the following settings. Anonymous Access is enabled and Integrated Windows Authentication is disabled.
What I need to return is the domain/username, so it returns the actual user like john.smith or mydomain/js.
Initially I have created a separate directory in the solution with an aspx page and a separate web.config with <identity impersonate="true"/>. Will this give me what I am looking for?
# re: Using programmatic Impersonation from an ASP.NET Page
by Salah July 19, 2006 @ 3:00am
Why do I get a blank page when running the code of this article?
# re: Using programmatic Impersonation from an ASP.NET Page
by k03123 August 10, 2006 @ 7:37pm
Hi Rick,

How does a firewall affect impersonation? Well, I have written a program which authenticates a user using LDAP and stores the user password in a session variable. For any action required - add/edit/delete of files - I am supplying the user name, domain and saved password. I am able to access network resources as well, but when I moved the program to the production server, which is apparently outside the firewall, it can't impersonate. The network resources are inside the firewall.

Is it possible at all to do impersonation across a firewall? Maybe by opening ports? Any help appreciated.
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl August 10, 2006 @ 8:00pm
It depends on the firewall. If the firewall strips authentication information then no, it's not going to work. However, most proxy type firewalls shouldn't strip this information and so requests should continue to work.
# re: Using programmatic Impersonation from an ASP.NET Page
by k03123 August 10, 2006 @ 11:23pm
Thanx Rick.

I appreciate your response. I will have a chat with system administrator and see how it goes.
# re: Using programmatic Impersonation from an ASP.NET Page
by Vazeem August 13, 2006 @ 10:36pm
Hi Rick,
I have a situation here.
My web application is running on two servers in parallel for the purpose of NLB. The application needs to read/write files from local folders. Since I can't put the files on both servers (it would replicate the data), I decided to create folders on my primary server and create a network mapped drive on both servers with the same drive letter pointing to the folders on the primary server. Since the NLB server will redirect the request to either of the two servers, this is the only way I found. But now the problem is ASP.NET is not able to find the network drive; it throws the exception that the directory was not found.
If I use the IP address instead of the network drive, it works fine. But I can't use it, the reason being that in case of any hardware failure switching the IP address is difficult....

Forgot to mention, my application is only an "Intranet" application.
Please suggest me any alternative...
# re: Using programmatic Impersonation from an ASP.NET Page
by cbv August 14, 2006 @ 2:13am
Hi Rick,

What is the difference between Impersonation and changing the "userName" in the ProcessModel tag? Effectively, whether we change the userName in ProcessModel, or make the application impersonate, we are achieving the same thing, right?
# re: Using programmatic Impersonation from an ASP.NET Page
by mk November 01, 2006 @ 2:42am
I changed the machine.config file which is at C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG and in the processModel tag changed the username to "system" and password to "AutoGenerate". As a result of this the ASP.NET process does run as a system process; that is, if I put these test lines in the code..

string usr1=System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string usr2 = System.Environment.UserName;

as a result of this
usr1=@"NT AUTHORITY\SYSTEM"
and usr2="SYSTEM"

But still the ASP.NET code (C# code behind) doesn't seem to have all the privileges. For example, when I do

System.Collections.IDictionary all_vars=System.Environment.GetEnvironmentVariables();

then the ASP.NET code doesn't show the environment variables which I have manually created beforehand, while a simple C# program shows all the environment variables. Similarly there are many cases where ASP.NET can't perform the expected task whereas a simple C# script does it....

Any solutions to this???
# re: Using programmatic Impersonation from an ASP.NET Page
by Andrew November 07, 2006 @ 1:02pm
We use identity impersonate in our web.config to access a file share via UNC - Which works fine if the share is in the same domain.

However, we want to access a share in a different domain, but when we specify an account in the local domain that matches an account and password in the remote domain, we still get an invalid path or file name from System.Data.OleDb.OleDbException (we're trying to access a data source on the remote domain).

I noticed you mentioned that it may be possible to do that programmatically if the accounts match ID and password... But is it possible to do it in the web.config, as we are trying to do..? Since we cannot modify the source code of the application... Our only option is in the web.config.

We've also tried using a local account (instead of a domain account) that matches the remote domain account and password, with similar (failed) results.

Any thoughts or suggestions much appreciated! :)
# re: Using programmatic Impersonation from an ASP.NET Page
by Rick Strahl November 07, 2006 @ 1:31pm
Depends on the machine.config configuration. By default the account information is locked down so you can't change it web.config level.

On IIS 6 the machine account is determined by the IIS Application Pool Impersonation, and that can't be overridden as far as I know.
# How to pass Username and password when accessing Network Folder
by Sumit November 08, 2006 @ 6:04am
Hi, I am developing a Windows service that will pick a file from a network folder, so I want to know how to pass a username and password in order to access that folder.
# re: Using programmatic Impersonation from an ASP.NET Page
by Andrew November 08, 2006 @ 9:05am
Hi Sumit... If you scroll up to the top of this page and read the article... That's pretty much what the article tells you how to do! Since it's basically about impersonating a user.. You'd just impersonate the account that has the rights to that folder. I think it should work for a service just as well. :)
# Understanding ASP.NET Impersonation Security - Rick Strahl's Web Log
by Rick Strahl's Web Log November 12, 2006 @ 10:56pm
Understanding how ASP.NET's internal security works is important if your application needs to access resources on the local machine. Specifically it's important to know exactly which account your ASP.NET application is running under. This entry reviews different ways of how this account is affected by different versions of Windows, and ASP.NET configuration.
# re: Using programmatic Impersonation from an ASP.NET Page
by Damian January 25, 2007 @ 1:29am
Can this procedure be implemented to control access to non-asp.net files within the website (i.e... word document, excel files, images)? In other words, can I prevent users from accessing the above files with URLs by using the above procedure?

Thanks,

Damian
# re: Using programmatic Impersonation from an ASP.NET Page
by Josh February 27, 2007 @ 9:28am
ok; it appeared to work i.e. I could run the code and when viewing the Environment.UserName it was showing the new impersonated username - sweet.

BUT when trying to connect to a remote db using a trusted connection it fails with the error 'NT AUTHORITY\ANONYMOUS LOGON'.

Any ideas?
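As an added example (not code from the article or from any commenter), this is how a practitioner would wrap the LogonUser / impersonate / revert sequence the article describes so that the thread is always reverted, Win32 errors are reported accurately, and the "NT AUTHORITY\ANONYMOUS LOGON" symptom seen above on a remote connection is avoided by using the LOGON32_LOGON_NEW_CREDENTIALS logon type. The class names, the share path and the account are placeholders I assume; it targets .NET Framework, where WindowsImpersonationContext exists.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the article or its comments): a disposable impersonation scope.
// Two points this comment thread keeps tripping over:
//  1. LOGON32_LOGON_NETWORK (3) yields a token that carries no network credentials, so a
//     remote share or a trusted SQL connection sees "NT AUTHORITY\ANONYMOUS LOGON".
//     LOGON32_LOGON_NEW_CREDENTIALS (9) keeps the local identity (Environment.UserName
//     does not change) but uses the supplied credentials for outbound connections; it is
//     only valid with LOGON32_PROVIDER_WINNT50 (3).
//  2. The Win32 error must be read with Marshal.GetLastWin32Error() immediately after the
//     failing call, and the revert must run in Dispose so that an exception never leaves
//     a thread-pool thread impersonating when it is handed to the next request.
public sealed class ImpersonationScope : IDisposable
{
    // Logon types and providers as defined in winbase.h
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    public const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private IntPtr _token = IntPtr.Zero;
    private WindowsImpersonationContext _context;

    public ImpersonationScope(string user, string domain, string password,
                              int logonType, int provider)
    {
        if (!LogonUser(user, domain, password, logonType, provider, out _token))
        {
            // Capture the error code before any other Win32 call can overwrite it.
            int error = Marshal.GetLastWin32Error();
            throw new Win32Exception(error, "LogonUser failed for " + domain + "\\" + user);
        }
        try
        {
            // WindowsIdentity.Impersonate wraps ImpersonateLoggedOnUser and remembers the
            // previous token, so Undo() is the managed equivalent of RevertToSelf.
            _context = WindowsIdentity.Impersonate(_token);
        }
        catch
        {
            CloseHandle(_token);
            _token = IntPtr.Zero;
            throw;
        }
    }

    // Local identity unchanged; only connections to other machines use the given account.
    public static ImpersonationScope ForNetworkAccess(string user, string domain, string password)
    {
        return new ImpersonationScope(user, domain, password,
                                      LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50);
    }

    public void Dispose()
    {
        if (_context != null) { _context.Undo(); _context = null; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

// Usage from a page or handler. The UNC path and account are placeholders.
public static class ShareAccess
{
    public static string[] ListShare(string uncPath, string user, string domain, string password)
    {
        using (ImpersonationScope.ForNetworkAccess(user, domain, password))
        {
            return Directory.GetFiles(uncPath);
        }
        // Dispose() has run here even if GetFiles threw, so the thread is back on the
        // application pool identity before it is returned to the pool.
    }
}
```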
# Scott Hanselman's Computer Zen - Avoid using Impersonation in ASP.NET
by Scott Hanselman's Computer Zen May 02, 2007 @ 11:38pm
Scott Hanselman on Programming, User Experience, The Zen of Computers and Life in General
# re: Using programmatic Impersonation from an ASP.NET Page
by gazeteler June 30, 2007 @ 10:33am
I try to read a log file from a remote computer. I get an Access Denied error, but the logfile folder has all the privileges, and I am also logged in as an administrator.

here is my code

// Requires: using System.DirectoryServices; plus the LogonUser/ImpersonateLoggedOnUser/
// RevertToSelf/CloseHandle declarations from the article
IntPtr lnToken;
int TResult = LogonUser("administrator", "domain", "pwd", LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out lnToken);
if (TResult > 0)
{
    // Run the rest of the block under the logged-on user's token
    ImpersonateLoggedOnUser(lnToken);
    // Bind to the IIS metabase on the remote server with explicit credentials
    DirectoryEntry root = new DirectoryEntry("IIS://server/W3SVC", "administrator", "domain", "pwd", AuthenticationTypes.Secure);
    foreach (DirectoryEntry ent in root.Children)
    {
        if (ent.SchemaClassName == "IIsWebServer")
        {
            Response.Write(ent.Properties["ServerComment"].Value.ToString());
        }
    }
    // Restore the original thread identity and release the token
    RevertToSelf();
    Response.Write("<hr>" + Environment.UserName + " - " + this.User.Identity.Name + "<hr>");
    CloseHandle(lnToken);
}
else
{
    Response.Write("Not logged on: " + Environment.UserName);
}
return;
# re: Using programmatic Impersonation from an ASP.NET Page
by gino_bili July 06, 2007 @ 9:24am
This is from a comment from 2005 but was not given a response. I am having a similar problem. Is there any way I can automatically take the user name of whoever logged in to the system? This way I do not have to supply a password.
# re: Using programmatic Impersonation from an ASP.NET Page
by Striking Knife July 14, 2007 @ 9:54am
Beautiful article, hats off to you. Expecting more good articles from you.
# re: Using programmatic Impersonation from an ASP.NET Page
by Twood September 18, 2007 @ 11:26am
This is a great article, unfortunately for me I need it in VB. I converted it, but only ended up with a blank page that won't hit the page_load breakpoint, so I have no idea how much (if any) is getting done.

My entire site uses a web.config with forms based authentication. When I try and specify windows based inside a subfolder, the compiler throws an error. I want to keep everything together in one project, and don't want to have to resort to splitting it into another virtual dir.
# Using Impersonation in an application to verify folder permissions
by Torving November 18, 2007 @ 8:06am
Thanx for a great article.
In your article you write
"You can also impersonation system accounts like SYSTEM and NETWORK SERVICE which don't require passwords (pass "" for the password), but most likely these accounts are not what you need to get your job done - for example access another machine on the network."

My question to you is, how do I impersonate the built-in account NETWORK SERVICE?

I need to find a way to verify if the built-in system account "NETWORK SERVICE" has read and write rights to a specific folder, and I thought that if I could impersonate the account then I could perform the necessary file operations as that user and thereby determine if the user has the necessary rights on the folder.

Hope I make sense, and that you can find the time to answer me.

Best Regards

Michael T.
# re: Using programmatic Impersonation from an ASP.NET Page
by Otto November 21, 2007 @ 1:23pm
Rick, how about connecting to a network printer not installed on the IIS server, but just installed on a server on the network or shared by a user's computer?

Great article, thanks so much.

Otto.
# re: Using programmatic Impersonation from an ASP.NET Page
by Bhushan Danej March 22, 2008 @ 8:35am
Hi there,

The information on this page is brilliant.

I am also facing some IIS account heck, and dying to get it working with the solution already provided.

I have got a Web service, which calls a C++ DLL. C++ DLL calls a COM component, which is on another server.
Now while accessing the COM component, I am getting an "Access is denied" error. But if I run the same C++ code from any development environment (not under IIS) it works.

Somewhere on this page it's written that I need to impersonate the ASPNET account. But still, after adding impersonate = true in Machine.config and web.config, nothing is working.

It must be a simple configuration somewhere, but not getting proper direction.

Can someone help.
# re: Using programmatic Impersonation from an ASP.NET Page
by Enigma March 25, 2008 @ 11:03am
Hi All,

I also tried Impersonation with asp.net and it is successful.
Now I want to create a file on a network location with the impersonated credentials. I am providing the proper UNC path but it cannot read or write to my network share folder. When I try to create a file, it says the file \\servername\sharepath\file.doc cannot be created.

Can anyone help please? It's urgent.

Thanks
# re: Using programmatic Impersonation from an ASP.NET Page
by Tired of Impersonation Mania April 30, 2008 @ 5:07pm
@Enigma
Go to this URL buried in the comments: http://corner-house.blogspot.com/2006/03/accessing-shared-folders-in-aspnet.html

I successfully implemented accessing a remote share and my ASP.NET pages are reading/writing files like champs.
# Impersonation NT AUTHORITY\SYSTEM
by Irene August 04, 2008 @ 1:23am
Please, help me!
I'm trying to create an exe file using IExpress.
I create the .sed file correctly (newsedfile parameter in the sub below), but then my following code (that implements impersonation with user NT AUTHORITY/SYSTEM) throws the error "Access is denied" and I don't understand why!
Windows 2003R2 SP1 or Windows XP SP3; .net framework 2.0
That's All Folks! Thank you a lot!
Irene

// P/Invoke signatures this method relies on (bool return, ref IntPtr token);
// they need "using System.Runtime.InteropServices;"
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr handle);

private static void createEXE(string newsedfile)
{
    IntPtr tokenHandle = IntPtr.Zero;
    IntPtr dupeTokenHandle = IntPtr.Zero;
    System.Security.Principal.WindowsImpersonationContext impersonatedUser = null;

    try
    {
        const int LOGON32_PROVIDER_DEFAULT = 0;
        //This parameter causes LogonUser to create a primary token.
        const int LOGON32_LOGON_INTERACTIVE = 2;
        const int SecurityImpersonation = 2;

        // Call LogonUser to obtain a handle to an access token.
        bool returnValue = LogonUser("SYSTEM", "NT AUTHORITY", "",
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
            ref tokenHandle);

        if (false == returnValue)
        {
            // Report the real Win32 error instead of a hard-coded ERROR_ACCESS_DENIED (0x5)
            int errorCode = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
            throw new System.ComponentModel.Win32Exception(errorCode);
        }

        bool retVal = DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
        if (false == retVal)
        {
            int errorCode = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
            throw new System.ComponentModel.Win32Exception(errorCode, "Exception thrown in trying to duplicate token.");
        }

        // The token that is passed to the following constructor must
        // be a primary token in order to use it for impersonation.
        System.Security.Principal.WindowsIdentity newId = new System.Security.Principal.WindowsIdentity(dupeTokenHandle);
        impersonatedUser = newId.Impersonate();

        System.Diagnostics.Process p = new System.Diagnostics.Process();

        // cfr. http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/iexpress.mspx?mfr=true
        /* p.StartInfo.Domain = @"NT AUTHORITY";
        p.StartInfo.UserName = @"SYSTEM";
        System.Security.SecureString pwd = new System.Security.SecureString();
        foreach (char c in "")
            pwd.AppendChar(c);
        p.StartInfo.Password = pwd; */
        p.StartInfo.FileName = "iexpress.exe";
        p.StartInfo.Arguments = "/N /Q " + newsedfile;
        p.StartInfo.UseShellExecute = false;
        //p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;

        if (p.Start())
        {
            p.WaitForExit();
        }
        else
        {
            throw new Exception("IExpress has not started");
        }
    }
    finally
    {
        // Stop impersonating the user even when an exception was thrown,
        // then free the tokens.
        if (impersonatedUser != null) impersonatedUser.Undo();
        if (tokenHandle != IntPtr.Zero) CloseHandle(tokenHandle);
        if (dupeTokenHandle != IntPtr.Zero) CloseHandle(dupeTokenHandle);
    }
}
# re: Using programmatic Impersonation from an ASP.NET Page
by nipun September 09, 2008 @ 4:15am
Hey rick
I am developing an application which uses Exchange Server 2007. I have created a web service on the remote m/c where Exchange Server is installed, and then using the command prompt I am running PowerShell scripts. Here's a code snippet:
string command = "powershell.exe \"& 'D:\\Documents and Settings\\Administrator\\Desktop\\exchange2007\\test.ps1'\"";
System.Diagnostics.ProcessStartInfo procStartInfo =
    new System.Diagnostics.ProcessStartInfo("cmd", "/c " + command);

// The following settings are needed to redirect the standard output.
// This means that it will be redirected to the Process.StandardOutput StreamReader.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.StartInfo = procStartInfo;
string result = "";
try
{
    proc.Start();
}
catch (Exception ex)
{
    // Surface the start failure instead of swallowing it; reading
    // StandardOutput of a process that never started would throw anyway.
    throw new InvalidOperationException("Could not start the script host", ex);
}
// Get the output into a string
while (!proc.StandardOutput.EndOfStream)
{
    result += proc.StandardOutput.ReadLine();
}
I used your provided code; it runs well, but when the code tries to run the script it gives the following error:
Get-MessageTrackingLog : Failed to connect to the Microsoft Exchange Transport Log Search service on computer "mycompany.mycompanyv2.com". Verify that a valid computer name was used and the Microsoft Exchange Transport Log Search service is started on the target computer. The error message is: Access is denied.At D:\Documents and Settings\Administrator\Desktop\exchange2007\test.ps1:2 char:23+ get-messagetrackinglog <<<< -messagesubject test | export-csv 'D:\Documents and Settings\Administrator\Desktop\exchange2007\Book1.csv'
Please help.
# re: Using programmatic Impersonation from an ASP.NET Page
by Monty December 22, 2008 @ 10:11am
I am trying to delegate a task to run automatically based on script completion of another task, I basically want the machine the task is running on to reboot itself and relaunch the task when it finishes. However since the webserver is running under network service and the domain may have group policy enabled to prevent elevating permissions of network service I am having a real problem getting this to work. I know for sure this is strictly a permissions issue but I am not sure how to launch my sub-process to reboot as an admin user from a web page, I know this is a horrible idea from a security standpoint but this machine is used for nothing else and only serves up results of performance tests to internal staff (which is the task that needs to restart when completed).

would the code here work for this purpose?
# re: Using programmatic Impersonation from an ASP.NET Page
by Avijit Ghosh Roy January 14, 2009 @ 11:09pm
Hi Rick, It is really a great post as always been with you. I need to know if I use your code for temporary impersonation to export a crystal report document to a shared path will there be any extra thing that I need to do? I am using crystal report viewer to show one report and on that page there is a button called “Send”. On clicking the button the report need to be exported to a shared location in “*.pdf” format. When I am using this piece of code to run the app, it is asking for my credentials to open the crystal report viewer and then it is not opening the report.
# re: Using programmatic Impersonation from an ASP.NET Page
by vishwanath February 10, 2009 @ 12:50am
HI,

I am using Word template automation using C# and I don't want to use the username and password in the web.config. When I use the username and password the application runs fine. Please tell me some solution so that I don't have to use the username and password. I deployed the application on WinServer 2003.

Thanks
Vish
# re: Using programmatic Impersonation from an ASP.NET Page
by Sabarish May 28, 2009 @ 12:11am
Hi,

1. I am using your example to create a directory on our shared network (the file server is part of our network).
2. I followed all your steps. It is changing the environment user name in the correct order, i.e. ASP.NET, myusername and back to ASP.NET.
3. It works successfully when I run the code from Visual Studio. I am able to create the directory.

But, I am getting "access denied" error when I am running from IIS.

Any ideas/clues

Thanks a lot for your quick response

Sabarish
# re: Using programmatic Impersonation from an ASP.NET Page
by Femi Ojemuyiwa July 01, 2009 @ 3:50am
Very useful article. For all those having errors. Map the network paths to a drive on your machines first if file access is an issue or better still create a virtual directory to the folder within your application.
# re: Using programmatic Impersonation from an ASP.NET Page
by Syed Assad July 31, 2009 @ 8:07am
Use this class in your web app; it's very clean and you can use it as follows. It also got rid of the access denied message for me:

using (new Impersonator("uname", "domain", "password"))
{
    try
    {
        ....
    }
    catch (IOException ex)
    {
        // handle exception
    }
}


public class Impersonator :
    IDisposable
{
    #region Public methods.
    // ------------------------------------------------------------------

    /// <summary>
    /// Constructor. Starts the impersonation with the given credentials.
    /// Please note that the account that instantiates the Impersonator class
    /// needs to have the 'Act as part of operating system' privilege set.
    /// </summary>
    /// <param name="userName">The name of the user to act as.</param>
    /// <param name="domainName">The domain name of the user to act as.</param>
    /// <param name="password">The password of the user to act as.</param>
    public Impersonator(
        string userName,
        string domainName,
        string password)
    {
        ImpersonateValidUser(userName, domainName, password);
    }

    // ------------------------------------------------------------------
    #endregion

    #region IDisposable member.
    // ------------------------------------------------------------------

    public void Dispose()
    {
        UndoImpersonation();
    }

    // ------------------------------------------------------------------
    #endregion

    #region P/Invoke.
    // ------------------------------------------------------------------

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern int LogonUser(
        string lpszUserName,
        string lpszDomain,
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        ref IntPtr phToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern int DuplicateToken(
        IntPtr hToken,
        int impersonationLevel,
        ref IntPtr hNewToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool RevertToSelf();

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private static extern bool CloseHandle(
        IntPtr handle);

    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // ------------------------------------------------------------------
    #endregion

    #region Private member.
    // ------------------------------------------------------------------

    /// <summary>
    /// Does the actual impersonation.
    /// </summary>
    /// <param name="userName">The name of the user to act as.</param>
    /// <param name="domainName">The domain name of the user to act as.</param>
    /// <param name="password">The password of the user to act as.</param>
    private void ImpersonateValidUser(
string userName,
string domain,
string password)
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;

try
{
if (RevertToSelf())
{
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
finally
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
}
}

/// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}

private WindowsImpersonationContext impersonationContext = null;

// ------------------------------------------------------------------
#endregion
}
# re: Using programmatic Impersonation from an ASP.NET Page
by SVK August 04, 2009 @ 3:08am
I am using file copy in ASP.NET.
My ASP.NET application is on system1,
my SQL database is on system2.

Everything works fine when I run the application from system1, i.e. the system having the ASP.NET application.

My file copy code is

    File.Copy(source, destination)

My source is system2 and the destination is system1.

Using the application from system1 via localhost/copypage.aspx
it works fine, I am able to copy from source to destination.
web.config has

    <identity impersonate="true" userName="system2" password="abc"/>

But if I run the same application through some other system (mapped & configured through IIS) I get an error:
now I get access denied.
How do I go about it?
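Added example, mine rather than code from the post or from any commenter, for the two web.config questions in this thread: Vish wanted to avoid keeping a user name and password in web.config, and the `<identity impersonate="true" userName="system2" password="abc"/>` element just shown stores the impersonation password in clear text, readable by anyone who can read the file. ASP.NET can encrypt that section in place with a protected-configuration provider and decrypts it transparently when the application starts, so `<identity>` impersonation keeps working unchanged. The application virtual path "/MyApp" is a hypothetical value, and the code assumes an account that can write the application's web.config.

```csharp
// Added example (not from the original post or any comment): encrypt the <identity>
// section so the impersonation password is no longer stored in clear text in web.config.
// Assumes a hypothetical application at virtual path "/MyApp" and an account that can
// write its web.config; run once from a deployment script or an admin-only page.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class IdentitySectionProtector
{
    // Before (weak):  <identity impersonate="true" userName="system2" password="abc"/>
    // After: the same element is stored as <EncryptedData> under the chosen provider and
    // ASP.NET decrypts it on load, so neither the impersonation nor code reading the
    // section needs to change.
    // Returns true when the section was encrypted, false when it already was.
    public static bool Protect(string appVirtualPath, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("system.web/identity");
        if (section == null)
            throw new InvalidOperationException("no <identity> section in " + appVirtualPath);

        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static void Main()
    {
        // DataProtectionConfigurationProvider uses the machine's DPAPI key: simplest, but the
        // resulting web.config can only be decrypted on this machine. Use
        // "RsaProtectedConfigurationProvider" with an exported key container when the same
        // web.config is deployed to several servers.
        bool changed = Protect("/MyApp", "DataProtectionConfigurationProvider");
        Console.WriteLine(changed ? "identity section encrypted" : "identity section already protected");
    }
}
```

The same result from the command line is `aspnet_regiis -pe "system.web/identity" -app "/MyApp"` run from the .NET Framework directory (`-pd` reverses it). The account the application pool runs under must be able to use the provider's key; for the DPAPI provider with machine scope that is the default, for the RSA provider grant it access with `aspnet_regiis -pa`.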
# re: Using programmatic Impersonation from an ASP.NET Page
by Sri August 14, 2009 @ 1:22pm
I want my ASP.NET application (VB.NET code-behind) to create a text file on a remote server (destServerName):

    Imports System.IO

    Dim destFilePath As String = "\\destServerName\desttemp\srcfilename.TXT"

    Try
        ' File.Create returns an open FileStream; dispose it, or the new file stays locked
        Using fs As FileStream = File.Create(destFilePath)
        End Using
    Catch ex As Exception
        UtilityTier.ApplicationError.ReportError("SIInitAndEduInterface-btnUploadFile", ex.Message)
    End Try

Exception Message:- "Logon failure: unknown user name or bad password"

Server destServerName is running Windows 2003

Folder 'desttemp' is having fullcontrol to Everyone,Network Service account
# re: Using programmatic Impersonation from an ASP.NET Page
by Tomas February 17, 2010 @ 9:25am
I owe you a beer ;-), your code helped me a lot! Thanks ...
But I still don't know why my previous code did not work ... I am trying to run bat files from an ASP.NET page .. I used this code:

    using System.Diagnostics;

    using (Process p = new Process())
    {
        p.StartInfo.UserName = AdHelper.domainAdmin;
        p.StartInfo.Password = WMIHelper.securePassword(AdHelper.domainAdminPwd);
        p.StartInfo.Domain = AdHelper.domain;
        p.StartInfo.UseShellExecute = false;   // required when UserName/Password are supplied
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.FileName = "xxx.bat";
        p.StartInfo.Arguments = "qwerty";
        p.EnableRaisingEvents = false;
        bool retVal = p.Start();
        log.Info("process start called, result: " + retVal);
    }   // Dispose releases the process handle (was p.Close())

When I ran the web site from Visual Studio, it worked great .. when I moved it to IIS, I got an Access Denied exception on the row with p.Start() .. but I am sure that the file permissions on the bat file are OK - it works in VS - I saw xxx.bat in Task Manager running under domainAdmin ...
Anybody has an idea why this does not work?
It started working when I put that LogonUser and ImpersonateLoggedOnUser stuff before the Process declaration ... but I still believe it should work even without it, using StartInfo.Domain/UserName/Password...
Thanks a lot, Tomas
# re: Using programmatic Impersonation from an ASP.NET Page
by satish February 21, 2010 @ 6:10pm
hi
I am using the exact code, as you have specified, for impersonation to connect to IBM WebSphere MQ, and it works fine on my local system (XP). When I tried the same code on 64-bit Windows Server 2003 it gives me a BadImageFormatException, which I believe is because of a 32-bit DLL running on a 64-bit OS. I am not sure whether advapi32.dll or kernel32.dll is causing the problem?

And will the code for impersonation work fine on 64-bit computers?
# re: Using programmatic Impersonation from an ASP.NET Page
by misterandovas February 26, 2010 @ 2:21am
Its fantastics, Thanks a lot,
# re: Using programmatic Impersonation from an ASP.NET Page
by Siderite April 22, 2010 @ 7:20am
Hey, Rick! In my office people are using impersonation on web sites and WCF services. All of them EVENTUALLY get an access denied error that can only be solved by fixing/reinstalling the .Net framework. I am not working on the same projects, but I would like to find out what causes this and how to solve it.

I was wondering if you ever stumbled upon something similar. It seems to be directly or indirectly linked to IIS and impersonation.
# re: Using programmatic Impersonation from an ASP.NET Page
by SpinGee September 30, 2010 @ 8:07am
Hi,
I have an ASP.NET (impersonation = false) application with NTLM authorization, so only authenticated domain users in group "A" can access the site. I have a file system on a network server which only users from group "A" can access, with read/write access. Now I need to temporarily impersonate a user from group "A" to read files or directories on the file server. I'm doing it this way:

    WindowsImpersonationContext ctx = ((WindowsIdentity)User.Identity).Impersonate();
    try
    {
        if (System.IO.File.Exists(filePath))
        {
            //...
        }
    }
    finally
    {
        ctx.Undo();   // always revert, even if the file operation throws
    }


It successfully impersonates the current user (Environment.UserName changes from NETWORK_SERVICE to the current user). But the file operations don't work because of some logon failure. What am I doing wrong? The strange thing is, if I don't use this impersonation, it works.
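Added diagnostic, written for this thread rather than taken from the post or any comment: several questions above end in "access denied" or "logon failure" on a remote share that works from Visual Studio, and `File.Exists`/`Directory.Exists` hide the reason by simply returning false. The helper below reports which token the current thread actually carries and opens a UNC path through `CreateFile` so the raw Win32 error survives. Call it inside the impersonation block, whether that is the Impersonator class posted earlier or `((WindowsIdentity)User.Identity).Impersonate()` as in the post above. The share path is a hypothetical value, and `WindowsIdentity.ImpersonationLevel` needs .NET Framework 4.0 or later.

```csharp
// Added diagnostic (not from the original post or any comment). Assumes .NET 4.0+ for
// WindowsIdentity.ImpersonationLevel and a hypothetical share path \\fileserver\share.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ImpersonationProbe
{
    const uint GENERIC_READ = 0x80000000;
    const uint FILE_SHARE_ALL = 0x00000007;          // read | write | delete: avoid sharing violations
    const uint OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; // lets CreateFile open a directory as well as a file
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // What the thread is running as right now: Environment.UserName and
    // WindowsIdentity.GetCurrent() both follow the impersonation token.
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("thread user={0}, Environment.UserName={1}, impersonation level={2}",
            id.Name, Environment.UserName, id.ImpersonationLevel);
    }

    // Opens uncPath for read with the current thread token and returns the Win32 error
    // (0 on success). Unlike File.Exists, the reason for a failure is preserved.
    public static int ProbeShare(string uncPath)
    {
        IntPtr h = CreateFile(uncPath, GENERIC_READ, FILE_SHARE_ALL, IntPtr.Zero,
            OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h == INVALID_HANDLE_VALUE)
            return Marshal.GetLastWin32Error();
        CloseHandle(h);
        return 0;
    }

    public static string Explain(int win32Error)
    {
        switch (win32Error)
        {
            case 0:    return "ok";
            case 5:    return "ERROR_ACCESS_DENIED: the logon reached the server, the share or NTFS ACL rejects this user";
            case 53:   return "ERROR_BAD_NETPATH: server or share name not found";
            case 1326: return "ERROR_LOGON_FAILURE: the token carries no credentials the remote server accepts "
                            + "(bad password, or a token IIS built from NTLM authentication, i.e. the double hop)";
            default:   return new Win32Exception(win32Error).Message;
        }
    }

    public static void Main()
    {
        // Run this from inside the impersonation block to see what the share sees.
        Console.WriteLine(DescribeCurrentToken());
        int err = ProbeShare(@"\\fileserver\share");
        Console.WriteLine("{0}: {1}", err, Explain(err));
    }
}
```

Reading the result: 5 means the impersonated account authenticated to the file server and the problem is the share or NTFS permissions for that account. 1326 with `((WindowsIdentity)User.Identity).Impersonate()` is the expected outcome for an NTLM web user: the token IIS builds from the client's NTLM exchange contains no password, so it cannot authenticate to a second machine, and the same code works from Visual Studio only because the development server already runs as the interactive user who holds those credentials. A token from `LogonUser` with an interactive or `LOGON32_LOGON_NETWORK_CLEARTEXT` logon does carry the password, which is why the LogonUser-based code in the post reaches the share where the bare `Impersonate()` does not; the other fix for the NTLM case is Kerberos with delegation configured for the web server.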
# re: Using programmatic Impersonation from an ASP.NET Page
by Essay Topics October 19, 2010 @ 11:01pm
I like this particular code because it formalizes the process, is easy to use, and will convert the API errors for you.
 


West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2014